Closed Bug 1679581 Opened 3 years ago Closed 2 years ago

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:390

Categories

(Core :: Graphics: WebRender, defect, P2)

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 2 obsolete files)

Attached file testcase.html (obsolete)

Hit MOZ_CRASH(called Option::unwrap() on a None value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:390

#0 0x7f6fbe4fee75 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f6fbe4fee75 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f6fbe4fee24 in mozglue_static::panic_hook::h6e70bafc479dc06d src/mozglue/static/rust/lib.rs:89:9
#3 0x7f6fbe4fe74b in core::ops::function::Fn::call::h01fce3a141895069 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f6fbf4c4ea7 in std::panicking::rust_panic_with_hook::haa1ed36ada4ffb03 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:573:17
#5 0x7f6fbf4c4a58 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h7001af1bb21aeaeb /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:476:9
#6 0x7f6fbf4bfecb in std::sys_common::backtrace::__rust_end_short_backtrace::h39910f557f5f2367 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/sys_common/backtrace.rs:153:18
#7 0x7f6fbf4c4a18 in rust_begin_unwind /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:475:5
#8 0x7f6fbf52adc0 in core::panicking::panic_fmt::h4e2659771ebc78eb /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/core/src/panicking.rs:85:14
#9 0x7f6fbf52ad0c in core::panicking::panic::h4b079e3c35cc1b09 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/core/src/panicking.rs:50:5
#10 0x7f6fbdfdce76 in webrender::renderer::Renderer::draw_frame::hc1c13f2343c96251 src/gfx/wr/webrender/src/renderer.rs
#11 0x7f6fbdfb0c33 in webrender::renderer::Renderer::render_impl::he83997d099c56357 src/gfx/wr/webrender/src/renderer.rs:3663:17
#12 0x7f6fbdfadf0a in webrender::renderer::Renderer::render::he364f654a8330632 src/gfx/wr/webrender/src/renderer.rs:3414:30
#13 0x7f6fbdd0630c in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:614:11
#14 0x7f6fb7e21b6e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:193:8
#15 0x7f6fb7e20944 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:488:31
#16 0x7f6fb7e203bf in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:325:3
#17 0x7f6fb7e294de in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1096:12
#18 0x7f6fb7e294de in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1102:12
#19 0x7f6fb7e294de in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:13
#20 0x7f6fb6dc7acf in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:465:9
#21 0x7f6fb6dc8615 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:473:5
#22 0x7f6fb6dc88ba in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:548:13
#23 0x7f6fb6dc92a0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
#24 0x7f6fb6dc7793 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#25 0x7f6fb6dc76ad in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#26 0x7f6fb6dc76ad in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#27 0x7f6fb6dd5937 in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
#28 0x7f6fb6dd0ea9 in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#29 0x7f6fcbbb2608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
#30 0x7f6fcb77b292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Attached file prefs.js (obsolete)
Keywords: bugmon

A Pernosco session is available here: https://pernos.co/debug/57gOsGlBEZCilL1UIdPXBg/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201127155321-c42696dc97c6.
The bug appears to have been introduced in the following build range:

Start: 5e54b29e93d4ff891bcb3d7461c57ddef351e437 (20200507193514)
End: 5ffbc60264521aa053e4be8baf715c515202546f (20200507195409)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5e54b29e93d4ff891bcb3d7461c57ddef351e437&tochange=5ffbc60264521aa053e4be8baf715c515202546f

Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1628175
Has Regression Range: --- → yes

S3 because impact unclear; P2 because highly actionable, because Pernosco

Severity: -- → S3
Flags: needinfo?(gwatson)
Priority: -- → P2

This doesn't appear to occur in current m-c, with either sw-wr or hw-wr. Can anyone else confirm?

Flags: needinfo?(gwatson) → needinfo?(jimb)

I can't reproduce this from the test case, either.

But the test case is based on a magic number (setting height to 73189319), so it wouldn't surprise me if it were sensitive to resource limits.

Does the Pernosco trace help?

Flags: needinfo?(jimb)
Attached file testcase.html
Attachment #9190047 - Attachment is obsolete: true
Attachment #9190048 - Attachment is obsolete: true

How about this test case? The fuzzers have reported this many times so I have lots to work with.

Flags: needinfo?(jimb)
Flags: needinfo?(gwatson)

Unfortunately that one also doesn't repro locally for me (tried regular + full debug builds), changing layout.css.devPixelsPerPx and also changing resolution (1080p and 4k). Are there any other preferences I should try tweaking that you can think of? Are you able to get a pernosco session for that new test case?

Flags: needinfo?(gwatson)

(In reply to Glenn Watson [:gw] from comment #9)

> Are there any other preferences I should try tweaking that you can think of?

I can't think of any prefs that might make a difference.

> Are you able to get a pernosco session for that new test case?

Sure, I will attach a link when it's ready.

A Pernosco session is available here: https://pernos.co/debug/WXomgmyLDEI2uKBj5vopoQ/index.html

Crash Signature: [@ webrender::renderer::Renderer::draw_frame ]
See Also: → 1730695

Can't repro a crash, but I see glitches when zooming in and out: Parts of the black box remain.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201127155321-c42696dc97c6) but not with tip (mozilla-central 20211105214712-019196b56630.)
Failed to bisect testcase (Start build didn't crash!):

Start: c42696dc97c623acea5083ffcfef03a5f990756a (20201127155321)
End: 019196b56630ab8806c88dcd890fcc3a13817084 (20211105214712)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I'm also not able to reproduce using the test case from comment 7.

Flags: needinfo?(jimb)

The fuzzers last reported this while fuzzing with m-c 20211104-50e4a4e6975a.

So maybe it was fixed by: https://bugzilla.mozilla.org/show_bug.cgi?id=1730695#c17

I'm happy to close this if that is ok with you.

Flags: needinfo?(jimb)
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jimb)
Resolution: --- → FIXED